Technique | How the 'Wild West' was won

USAID uses an online inspection tool to help tame its scattered systems

By William Jackson

Mar 18, 2007

You have to be able to use what you learn

The WebInspect vulnerability scanner from SPI Dynamics produces a wealth of information for the Agency for International Development about the security of its Web resources.

'But we're in the fix-it business,' said Bill Geimer, program manager for USAID contractor Open System Sciences. 'It doesn't mean a thing if you can't use it to get things fixed.'

This means that the data from the scans has to reach the administrators and executives around the world who own those resources in a way that is useful.The quality of the information provided by WebInspect is fine, said USAID CISO Phil Heneghan. The reports not only identify vulnerabilities, they prioritize them and provide information on correcting them. But the quantity is a problem.

'The reports are almost too big,' Heneghan said. An initial scan of a system can produce 400 or 500 pages of data, far more than the average administrator has time to wade through.

A solution to this will be to Web-enable the WebInspect reports, letting administrators find the information they need through a Web portal rather than a printed report. SPI Dynamics plans to include this feature in a future release of its product. The feature will also make it easier to tailor reports for specific audiences.

'You can point and click and get all the technical jargon,' said John Kemon, information security analyst for Open System Sciences. 'But at the end of the day, you need to have the support of the executive level,' who do not have the technical expertise of systems administrators.

Deciding when applications get fixed requires prioritizing not only the vulnerabilities, but also the application itself and the processes it is associated with.

'The process is as important as the technology,' Geimer said.

Checking UP: Phil Heneghan says USAID runs six networks worldwide.

Rick Steele

The Agency for International Development traces its roots back to the post-World War II Marshall Plan for rebuilding Europe, and was established as an independent agency in 1961.

'When our IT began there wasn't a network, let alone an Internet,' said chief information security officer Phil Heneghan. 'You had the Wild West,' with software development being done in a variety of coding languages at sites scattered around the world.

Today the agency operates six networks serving sites in 80 countries. Complying with federal privacy requirements and ensuring security meant reining in this environment, and Heneghan wanted a tool to review the code on the networks to look for bugs and vulnerabilities.

'We wanted to find out what we were exposed to,' he said. 'But the problem we set out to solve was not the one we ended up solving.'

It turned out that examining all that code in all those languages was too complex a job to swallow in one bite.

'We said, 'Let's not worry about the past. Let's look at the future.' ' The future was the Web. Senior officials at USAID had been pushing for more applications to be Web-enabled, 'because we were so distributed.'

For the past year the agency has been using the WebInspect tool from SPI Dynamics Inc. of Atlanta to scan for and correct security flaws in its Web applications. The agency gave up a little bit in opting for application scanning rather than a full code analysis, said Bill Geimer, program manager with the USAID contractor Open System Sciences of Newington, Va. 'But you carve it up into a problem you can solve.'

The result has been better security on the public-facing sites operated by USAID.'There's tons of problems,' Heneghan said. 'But as soon as we started giving our administrators the data, we started getting compliance almost overnight.'The agency began reining in its online environment about 18 months ago. The first step was to simply find out what was out there.

'We had to find everything and inventory it,' Heneghan said.

Some USAID sites were using the .org domain instead of .gov, some were improperly using cookies and some had been set up to process donations for other organizations. Cleaning up a lot of this was fairly straightforward'it was either allowed or it wasn't. But assessing vulnerabilities was a subtler problem, and goals had to be adjusted to conform to capabilities.

'We were looking for a tool to help look for security vulnerabilities in the code,' Geimer said. 'We found that they are language-specific.'

Without a standardized development environment, USAID had code written in too many languages to effectively address them all. 'We couldn't really get our arms around it with a strict code assessment,' Geimer said, so the decision was made to look at the application instead, and to focus on the Web.

This is becoming a more common security tactic, said Caleb Sima, CTO of SPI Dynamics. Several years ago, the usual route for a hacker into an enterprise was through network vulnerabilities.

Next frontier

'Today, most of those problems are being solved,' Sima said. 'Hackers have moved to the next level, which is Web security.'

These public-facing sites often have links into the enterprise and contain weaknesses opening them to attacks such as SQL injection, in which malformed data submitted in SQL queries can be used to exploit vulnerabilities, or cross-site scripting, in which disguised or hidden links can direct a browser to unknown sites.

'Developers of Web applications are not security people,' Sima said.

USAID selected WebInspect after evaluating more than a dozen scanning tools. 'About 18 months ago, that was the best choice for us,' said John Kemon,information security analyst for Open System Sciences.

Rather than searching for signatures, the WebInspect scanning engine works like an automated hacker, using known techniques and methods to find vulnerabilities. If it finds a problem, such as input data not being validated, it will experiment with commands for SQL injection to determine what is accepted and what types of manipulation are allowed. The engine is updated regularly to keep it abreast of new techniques.

USAID uses 12 WebInspect scanners to check its six networks, all managed from a central Assessment Management Platform server. Setting it up and making it operational was easy, Kemon said. There were no big problems, only minor bugs to work out.

The scanner not only found security problems, it also replaced a number of other point solution tools used for tasks such as measuring Section 508 compliance, finding broken links and looking for cookies.

'By getting this, we were able to get rid of a lot of other tools,' Heneghan said. 'They were useful, but from a management point of view, it was a nightmare.'

In its first phase of operations, the agency is using WebInspect to find and correct problems in spot-checks of existing applications.

'We're still trying to clean up all of the old applications,' Heneghan said.Once that has been achieved, the next phase will be ongoing, regularly scheduled scans to make sure that all applications stay secure.

The third phase will be to include vulnerability scans as a regular part of the development process for quality assurance.

'We're doing that on an as-called basis now,' Heneghan said. 'When the programmers see it, they love it.'